An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,784 Total Advisories

1,792 With Dependabot PRs

3,506 Critical Severity

8,617 High Severity

runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects
GHSA-cgrx-mc8f-2prm CVE-2025-52881 HIGH 23 days ago
### Impact ### This attack is primarily a more sophisticated version of CVE-2019-19921, which was a flaw which allowed an attacker to trick runc i...
go
67 Dependabot PRs
WSO2 Carbon Mediation vulnerable to XML External Entity (XXE) attacks
GHSA-fvfq-q238-j7j3 CVE-2025-10713 MODERATE 23 days ago
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses...
maven
No PRs yet
runc container escape with malicious config due to /dev/console mount and related races
GHSA-qw9x-cqr3-wc7r CVE-2025-52565 HIGH 23 days ago
### Impact ### This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a differ...
go
66 Dependabot PRs
runc container escape via "masked path" abuse due to mount race conditions
GHSA-9493-h29p-rfm2 CVE-2025-31133 HIGH 23 days ago
### Impact ### The OCI runtime specification has a `maskedPaths` feature that allows for files or directories to be "masked" by placing a mount o...
go
66 Dependabot PRs
Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.
GHSA-frmv-pr5f-9mcr CVE-2025-64459 CRITICAL 23 days ago
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `...
pypi
79 Dependabot PRs
Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows
GHSA-qw25-v68c-qjf3 CVE-2025-64458 HIGH 23 days ago
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a conseq...
pypi
79 Dependabot PRs
Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode
GHSA-m35w-xx8c-6xc7 CVE-2025-58337 MODERATE 23 days ago
An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that...
pypi
No PRs yet
expr-eval does not restrict functions passed to the evaluate function
GHSA-jc85-fpwf-qm7x CVE-2025-12735 HIGH 23 days ago
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variab...
npm
No PRs yet
Kgateway transformation policy template can emit files from the container
GHSA-5pmx-7r6r-wfqq MODERATE 24 days ago
## Summary The transformation policy template feature in Kgateway versions through 2.0.4 allows users with TrafficPolicy creation permissions to c...
go
No PRs yet
kgateway is missing xDS authorization
GHSA-4766-x535-jw3r CVE-2025-64323 MODERATE 24 days ago
## Summary The xDS interface in Kgateway versions 2.0.0 through 2.0.4 lacks authentication, allowing any client with unrestricted network access t...
go
No PRs yet
Protobuf Maven Plugin protocDigest is ignored when using protoc from PATH
GHSA-j2pc-v64r-mv4f LOW 24 days ago
### Summary The expected `protocDigest` is ignored when protoc is taken from the `PATH`. ### Details The documentation for the `protocDigest` para...
maven
No PRs yet
MARIN3R: Cross-Namespace Vulnerability in the Operator
GHSA-gf93-xccm-5g6j CVE-2025-64171 HIGH 24 days ago
## Summary Cross-namespace Secret access vulnerability in DiscoveryServiceCertificate allows users to bypass RBAC and access Secrets in unauthoriz...
go
No PRs yet
OctoPrint vulnerable to XSS in Action Commands Notification and Prompt
GHSA-crvm-xjhm-9h29 CVE-2025-64187 MODERATE 24 days ago
### Impact OctoPrint versions up to and including 1.11.3 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript in...
pypi
No PRs yet
Dosage vulnerable to a Directory Traversal through crafted HTTP responses
GHSA-4vcx-3pj3-44m7 CVE-2025-64184 HIGH 24 days ago
### Impact When downloading comic images, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, ...
pypi
No PRs yet
DSPy does not properly restrict file reads
GHSA-vvw2-h478-xwr3 CVE-2025-12695 MODERATE 24 days ago
The overly permissive sandbox configuration in DSPy allows attackers to steal sensitive files in cases when users build an AI agent which consumes ...
pypi
No PRs yet
Jellysweep uses uncontrolled data in image cache API endpoint
GHSA-xc93-q32j-cpcg CVE-2025-64178 HIGH 24 days ago
### Impact The `/api/images/cache` which is used to download media posters from the server accepted an `url` parameter, which was directly passed t...
go
No PRs yet
Shaman has soundness issues and is unmaintained
GHSA-7vjm-6qgq-3mrq LOW 24 days ago
`shaman::cryptoutil::write_u64v_le` and other functions mentioned above cannot guarantee memory safety of get_unchecked later if both lengths are zer...
cargo
No PRs yet
lakeFS affected by unauthenticated access to API usage metrics
GHSA-h238-5mwf-8xw8 CVE-2025-64179 MODERATE 24 days ago
### Impact Missing authentication in the `/api/v1/usage-report/summary` endpoint allows anyone to retrieve aggregate API usage counts. While no se...
go
No PRs yet
motionEye vulnerable to RCE via unsanitized motion config parameter
GHSA-j945-qm58-4gjx CVE-2025-60787 HIGH 24 days ago
## Summary A command injection vulnerability in MotionEye allows attackers to achieve Remote Code Execution (RCE) by supplying malicious values in ...
pypi
No PRs yet
OpenMage vulnerable to XSS in Admin Notifications
GHSA-qv78-c8hc-438r CVE-2025-64174 MODERATE 25 days ago
### Summary OpenMage versions v20.15.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an adm...
packagist
No PRs yet
MantisBT unauthorized disclosure of private project column configuration
GHSA-g582-8vwr-68h2 CVE-2025-62520 MODERATE 25 days ago
### Impact Due to insufficient access-level checks, any non-admin user having access to _manage_config_columns_page.php_ (typically project manage...
packagist
No PRs yet
MantisBT lacks verification when changing a user's email address
GHSA-q747-c74m-69pr CVE-2025-55155 MODERATE 25 days ago
When a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. ### I...
packagist
No PRs yet
@react-native-community/cli has arbitrary OS command injection
GHSA-399j-vxmf-hjvr CVE-2025-11953 CRITICAL 25 days ago
The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that...
npm
No PRs yet
MantisBT Vulnerable to Denial-of-Service (DoS) via Excessive Note Length
GHSA-r3jf-hm7q-qfw5 CVE-2025-46556 MODERATE 25 days ago
A lack of server-side validation for note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely lo...
packagist
No PRs yet
MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling
GHSA-4v8w-gg5j-ph37 CVE-2025-47776 HIGH 25 days ago
Due to an incorrect use of loose (`==`) instead of strict (`===`) comparison in the [authentication code][1], PHP type juggling will cause interpre...
packagist
No PRs yet
Liferay Portal and DXP do not check permissions of images in a blog entry
GHSA-xf7m-v66q-76w8 CVE-2025-62275 MODERATE 27 days ago
Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 20...
maven
No PRs yet
Liferay Portal and DXP use an incorrect cache-control header
GHSA-6533-fhr2-f38h CVE-2025-62276 MODERATE 27 days ago
The Document Library and the Adaptive Media modules in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023...
maven
No PRs yet
Liferay Portal and DXP affected by multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page
GHSA-q285-wfpg-93hr CVE-2025-62267 MODERATE 27 days ago
Multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, a...
maven
No PRs yet
Agno session state overwrites between different sessions/users
GHSA-vw84-hprm-cxmm CVE-2025-64168 HIGH 27 days ago
### Impact Under certain conditions (under high concurrency), when `session_state` is passed to an Agent or Team during run or arun calls, a race c...
pypi
No PRs yet
Liferay Portal Vulnerable to Reflected XSS via the selectedLanguageId Parameter
GHSA-2j97-4jmq-c4xf CVE-2025-62264 MODERATE 28 days ago
Reflected cross-site scripting (XSS) vulnerability in Language Override in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 thr...
maven
No PRs yet
Ansible does not collect garbage after playbook run
GHSA-f556-49jc-4rvc CVE-2020-25635 MODERATE 28 days ago
A flaw was found in Ansible Base when using the aws_ssm connection plugin as its garbage collector is not happening after the playbook run is compl...
pypi
No PRs yet
cryptidy allows code execution via untrusted data due to pickle.loads
GHSA-97w9-v595-3h5q CVE-2025-63675 MODERATE 28 days ago
cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aes_decrypt_message in symmetric_encry...
pypi
No PRs yet
Scrapy is vulnerable to a denial of service (DoS) attack due to flaws in brotli decompression implementation
GHSA-2qfp-q593-8484 CVE-2025-6176 HIGH 28 days ago
Scrapy versions up to 2.13.3 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The prote...
pypi
5 Dependabot PRs
Liferay Portal is vulnerable to XSS in the Blogs widget
GHSA-56jv-4ww3-65mw CVE-2025-62265 MODERATE 28 days ago
Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay...
maven
No PRs yet
sqls-server/sqls is vulnerable to command injection in the config command
GHSA-f9f4-5859-29mf CVE-2025-61141 HIGH 28 days ago
sqls-server/sqls 0.2.28 is vulnerable to command injection in the config command because the openEditor function passes the EDITOR environment vari...
go
No PRs yet
Liferay Portal is vulnerable to DNS rebinding attacks
GHSA-f5vh-4rj2-w8r8 CVE-2025-62266 MODERATE 29 days ago
By default, Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through ...
maven
No PRs yet
Keras keras.utils.get_file API is vulnerable to a path traversal attack
GHSA-28jp-44vh-q42h CVE-2025-12060 HIGH 29 days ago
The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utili...
pypi
No PRs yet
Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation
GHSA-g59r-24g3-h7cm CVE-2025-64112 HIGH 29 days ago
### Impact Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject maliciou...
packagist
No PRs yet
node-tar has a race condition leading to uninitialized memory exposure
GHSA-29xp-372q-xqph CVE-2025-64118 MODERATE 29 days ago
### Summary Using `.t` (aka `.list`) with `{ sync: true }` to read tar entry contents returns uninitialized memory contents if tar file was change...
npm
4 Dependabot PRs
gnark-crypto allows unchecked memory allocation during vector deserialization
GHSA-fj2x-735w-74vq HIGH 29 days ago
The issue has been reported by @raefko from @fuzzinglabs. Excerpts from the report: > A critical vulnerability exists in the gnark-crypto library's...
go
No PRs yet
Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode
GHSA-cf57-c578-7jvv CVE-2025-64716 MODERATE 29 days ago
### Summary When using subrequest authentication, Anubis did not perform validation of the redirect URL and redirects user to any URL scheme. Whil...
go
No PRs yet
n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook
GHSA-xgp7-7qjq-vg47 CVE-2025-62726 HIGH 29 days ago
### Impact A remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a m...
npm
No PRs yet
Byaidu PDFMathTranslate vulnerable to open redirect
GHSA-pfrv-63w8-q7rq CVE-2025-50736 LOW 29 days ago
An open redirect vulnerability exists in Byaidu PDFMathTranslate v1.9.9 that allows attackers to craft URLs that cause the application to redirect ...
pypi
No PRs yet
Apache Airflow has a command injection vulnerability in "example_dag_decorator"
GHSA-v3c9-j6h9-66v4 CVE-2025-54941 MODERATE 29 days ago
An example dag `example_dag_decorator` had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execu...
pypi
No PRs yet
Apache Airflow's create action can upsert existing Pools/Connections/Variables
GHSA-gp5f-cx7h-8q6f CVE-2025-62503 MODERATE 29 days ago
User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.
pypi
No PRs yet
Apache Airflow `/api/v2/dagReports` executes DAG Python in API
GHSA-273c-4g26-4jpm CVE-2025-62402 MODERATE 29 days ago
API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environm...
pypi
No PRs yet
Liferay Portal vulnerable to password enumeration
GHSA-8hw3-ghwv-crfh CVE-2025-62257 MODERATE 29 days ago
Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 202...
maven
No PRs yet
Drupal Acquia DAM allows Forceful Browsing
GHSA-x957-32v9-m7vg CVE-2025-9954 HIGH 29 days ago
Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing. This issue affects Acquia DAM: from 0.0.0 before 1.1.5.
packagist
No PRs yet
Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass
GHSA-jqmq-fpwv-p925 CVE-2025-12466 HIGH 29 days ago
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypas...
packagist
No PRs yet
Drupal CivicTheme Design System allows Cross-Site Scripting (XSS)
GHSA-h72q-cq3w-h3wc CVE-2025-12083 MODERATE 29 days ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-...
packagist
No PRs yet